From 60bc31c88687319710840eeef063939dd3e73769 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 6 Mar 2025 18:51:47 -0300 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Michael Dawson Signed-off-by: Rafael Gonzaga --- .../vulnerability/updates-cve-for-end-of-life.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md index 8aa40ce817ba5..7ce1871b949f2 100644 --- a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md +++ b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md @@ -6,11 +6,16 @@ layout: blog-post author: Rafael Gonzaga --- -# Rationale for Issuing CVEs on End-of-Life Node.js Versions - -**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 have been -rejected by MITRE and therefore the Node.js team decided to update previous -CVEs to cover EOL releases, reflecting their ongoing security risks. +# Update on the issuance of CVEs to mark End-of-Life Node.js Versions + +**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to +tag EOL versions have been rejected by MITRE. +The Node.js team has, therefore, decided to update previous vulnerability specific +CVEs to cover EOL releases, reflecting their ongoing security risks. This means that +all new CVEs issued will include EOL releases in the applicability until we have specific +information that indicates a CVE does not apply to an EOL release line. The project +does not plan to evaluate CVEs against EOL lines but information provided to the +project may be used to update the applicability if/when it is available. On January 21, 2025, Node.js released security patches for four active release lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions:
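Review bot: In the added TL;DR, the sentence starting "This means that all new CVEs issued will include EOL releases" does not follow from the sentence before it, which only says that previous CVEs will be updated. State both commitments explicitly (previously issued CVEs are updated to cover EOL releases, and newly issued CVEs will list EOL releases by default) so readers do not have to infer the second from the first. In the same paragraph, "vulnerability specific CVEs" should be hyphenated as "vulnerability-specific CVEs", and "has, therefore, decided" reads more cleanly as "has therefore decided". The last added sentence says the project "does not plan to evaluate CVEs against EOL lines"; since that is the key caveat for anyone consuming these CVEs with a scanner, consider saying plainly that an EOL release line listed as affected has not been verified as affected. Finally, several added lines are noticeably longer than the wrapped lines they replace; rewrap them to match the rest of the file.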